Protect against cyber security threats
Overview
This standard covers the competences needed for non-specialists to contribute to the cyber security resilience of an organisation. This includes the ability to protect against cyber security threats by following the organisational policies and procedures that document the cyber security controls to be used.
Effective cyber security resilience occurs when not only cyber security professionals, but also the wider workforce are aware of the threats and vulnerabilities that exist both within and outside of an organisation. This standard is for those who are not cyber security professionals, but who are required to adopt cyber resilience practices and procedures whilst undertaking their own specialised tasks or functions.
The underpinning knowledge required to meet this standard will provide an understanding of the cyber security controls, tools and techniques, in order to defend against threats.
Performance criteria
You must be able to:
locate and review organisational cyber security policies and procedures in order to comply with them in the workplace
identify the technical and administrative cyber security controls implemented by organisations to contribute to cyber security resilience
maintain anti-malware protection to protect computer systems and data in line with organisational requirements
identify phishing and other fraudulent communications (including email, instant message, text message and telephone calls) and respond to them in line with organisational procedures
comply with organisational identity and access control policies and procedures when accessing different computer systems to maintain data security
apply data encryption to secure sensitive data (at rest and in transit) in line with organisational standards
select strong, unique passwords and keep them confidential in line with organisational password policies and procedures
use multi-factor authentication (MFA) with all the factors available to you, in line with organisational access control policies and procedures
maintain software versions in line with organisational policies and standards
identify and remove software that is no longer supported or required in line with organisational policies and procedures
follow organisational standards for secure use of all devices in the work environment to maintain systems security
follow secure usage guidelines for unsecured USB ports, CD/DVD drives and other removable media to prevent the malicious or accidental introduction of malware into organisational systems and the unauthorised extraction of data
maintain up to date cyber security awareness training in line with organisational requirements
Knowledge and Understanding
You need to know and understand:
the need for cyber security controls to protect privacy and the confidentiality, integrity and availability of data
your organisation's policies and procedures for cyber security
how vulnerabilities can be mitigated through administrative controls
the phishing risks that can arise from communications (including email, messaging and telephone)
the role of identity and access controls in restricting each user to the level of access their role requires and in granting privileged operations only to authorised users
how physical and environmental controls reduce the risk posed by threats within the physical environment, including natural or environmental hazards and physical intrusion by unauthorised individuals
why the organisation's network infrastructure is secured with appropriate technologies and processes, including switches, firewalls, segregation of duties and the segmentation of networks into smaller, more defensible partitions
the need to identify and secure physical communications assets such as cabling, unsecured USB ports and CD/DVD drives
why passwords should be strong and unique, and why a password used for a business account should never be reused for a personal or social media account (or vice versa)
the different types of multi-factor authentication (MFA) used in access control systems
the systems and procedures for encrypting sensitive data, both in transit and at rest
the importance of keeping software versions up to date in line with organisational policies
the need to retire software that is no longer supported or no longer required by the organisation
the importance of applying security controls across all devices, whether fixed, mobile or brought in from outside the organisation
the need to keep up to date with training and to manage your own learning, whether prescribed by the organisation or self-directed